View Issue Details
| Field | Value |
|---|---|
| ID | 0017434 |
| Project | CentOS-7 |
| Category | selinux-policy |
| View Status | public |
| Date Submitted | 2020-06-05 09:35 |
| Last Update | 2020-08-06 14:23 |
| Reporter | gwald |
| Assigned To | |
| Priority | normal |
| Severity | block |
| Reproducibility | always |
| Status | new |
| Resolution | open |
| Product Version | 7.8-2003 |
| Summary | 0017434: SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /run/libvirt/virtlockd-sock |
Description:

SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /run/libvirt/virtlockd-sock.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that libvirtd should be allowed connectto access on the virtlockd-sock unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'libvirtd' --raw | audit2allow -M my-libvirtd
# semodule -i my-libvirtd.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c397,c1008
Target Context                system_u:system_r:virtlogd_t:s0-s0:c0.c1023
Target Objects                /run/libvirt/virtlockd-sock [ unix_stream_socket ]
Source                        libvirtd
Source Path                   /usr/sbin/libvirtd
Port                          <Unknown>
Host                          al30-web09.belwue.de
Source RPM Packages           libvirt-daemon-4.5.0-33.el7_8.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     al30-web09.belwue.de
Platform                      Linux al30-web09.belwue.de 3.10.0-1127.8.2.el7.x86_64 #1 SMP Tue May 12 16:57:42 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-06-05 10:59:42 CEST
Last Seen                     2020-06-05 10:59:42 CEST
Local ID                      1fef31e2-d10d-4feb-93eb-1feddf85e0f7

Raw Audit Messages
type=AVC msg=audit(1591347582.859:23909): avc: denied { connectto } for pid=121435 comm="libvirtd" path="/run/libvirt/virtlockd-sock" scontext=system_u:system_r:svirt_t:s0:c397,c1008 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

type=SYSCALL msg=audit(1591347582.859:23909): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7f94e57b9f10 a2=6e a3=6b636f732d646b items=0 ppid=1 pid=121435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Hash: libvirtd,svirt_t,virtlogd_t,unix_stream_socket,connectto
Steps To Reproduce:

- Update to 7.8.2003
- call:
  /usr/bin/virt-install --connect "qemu:///system" --wait 0 --noautoconsole --vnc --accelerate --name testvm --memory 2048 --vcpus 2 --os-variant rhel7.0 --network network:default --location http://cobbler01/cblr/links/CentOS-7-DVD-2003-x86_64 --extra-args="inst.text inst.ks.sendmac console=ttyS0,115200 rd.neednet=1 inst.ks=http://cobbler01/cblr/svc/op/ks/system/testvm" --disk "cache=none,path=/srv/kvm/images/testvm-disk0,size=30,format=raw"

  Output:
  Starting install...
  Retrieving file vmlinuz...     | 6.4 MB  00:00:00
  Retrieving file initrd.img...  |  53 MB  00:00:00
  Allocating 'testvm-disk0'      |  30 GB  00:00:00
  ERROR    internal error: Process exited prior to exec: libvirt: XML-RPC error : Failed to connect socket to '/var/run/libvirt/virtlockd-sock': Permission denied
  Removing disk 'testvm-disk0'   |    0 B  00:00:00
  Domain installation does not appear to have been successful.
  If it was, you can restart your domain by running:
    virsh --connect qemu:///system start testvm
  otherwise, please restart your installation.
- journalctl -t setroubleshoot | grep virtlockd-sock
- sealert -l <THE-UUID-YOU-SEE>
Tags: No tags attached.
abrt_hash:
URL:
A "yum update", which brought "libvirt-4.5.0-33.el7_8.1" and "selinux-policy-*3.13.1-266.el7", solved the problem.

Grrr - test was on the wrong machine :-(( Problem still exists:

#> cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
#> yum list libvirt 'selinux*'
libvirt.x86_64                  4.5.0-33.el7_8.1
selinux-policy.noarch           3.13.1-266.el7
selinux-policy-targeted.noarch  3.13.1-266.el7

More investigation:

- Install CentOS 7.7
- Update to CentOS 7.8
- Activate lock_manager = "lockd" in "/etc/libvirt/qemu.conf"
- The above error occurs

Without updating "selinux-policy" and "selinux-policy-targeted" from version 3.13.1-252.el7_7.6 to 3.13.1-266.el7 it works.

In our case we also use NFS so we have:

#> getsebool virt_use_nfs
virt_use_nfs --> on

So our workaround is:

- Building the module as suggested in the first report:
  ausearch -c 'libvirtd' --raw | audit2allow -M libvirtd_fix
- PLUS building a module from another "sealert -l <UUID>":
  ausearch -c 'virtlockd' --raw | audit2allow -M virtlockd_fix

I could work around the issue with the above instructions, thanks! The problem seems to be that in 7.7 virtlockd was labeled virtd_exec_t, but in 7.8 it is labeled virtlogd_exec_t, which seems to be wrong. This change was done in selinux-policy 3.13.1-253 for https://bugzilla.redhat.com/show_bug.cgi?id=1714896. But apparently upstream has a patch which introduces a specific virtlockd_exec_t label and related policy for libvirtlock: http://oss.tresys.com/pipermail/refpolicy/2015-September/007740.html, but it does not seem to be integrated with the package in CentOS 7.8. Note that this problem is also reported upstream at https://bugzilla.redhat.com/show_bug.cgi?id=1792713
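The denial quoted in the description and the root cause given in the note above, turned into a small triage script (an added example, not part of this report or of libvirt/selinux-policy): it splits the raw AVC record into its fields and flags the signature of this bug, a connectto denial on the virtlockd socket whose target type is virtlogd_t. It assumes only sed and cut; the live check additionally assumes matchpathcon from libselinux-utils and the path /usr/sbin/virtlockd.

```shell
#!/bin/sh
# Triage helper for the AVC record in this report (added example, not part of the
# report or of libvirt/selinux-policy). Splits an AVC record into fields and flags
# the signature from the last note: a connectto denial on the virtlockd socket
# whose target type is virtlogd_t, i.e. virtlockd running under the virtlogd label.
# Constructed sample: the raw AVC message quoted in the report.
AVC='type=AVC msg=audit(1591347582.859:23909): avc: denied { connectto } for pid=121435 comm="libvirtd" path="/run/libvirt/virtlockd-sock" scontext=system_u:system_r:svirt_t:s0:c397,c1008 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0'

# avc_field RECORD KEY: print the value of KEY=VALUE, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD: print the permission(s) inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: print the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc RECORD: print "virtlockd-mislabel" for the report's signature,
# "other" for anything else (including a denial whose target is virtlockd_t).
classify_avc() {
    perm=$(avc_perm "$1")
    tclass=$(avc_field "$1" tclass)
    path=$(avc_field "$1" path)
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$path" in
        */virtlockd-sock)
            if [ "$perm" = connectto ] && [ "$tclass" = unix_stream_socket ] \
               && [ "$ttype" = virtlogd_t ]; then
                echo virtlockd-mislabel
                return
            fi ;;
    esac
    echo other
}

# Live check (assumes libselinux-utils and the path /usr/sbin/virtlockd): print the
# file type the loaded policy assigns to the virtlockd binary. The last note reports
# virtlogd_exec_t on 7.8; a virtlockd-specific type would indicate a fixed policy.
virtlockd_file_type() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not installed"; return; }
    ctx_type "$(matchpathcon -n /usr/sbin/virtlockd)"
}

classify_avc "$AVC"
```

Feed it the `ausearch -c 'libvirtd' --raw` lines one at a time to pick out this specific denial before deciding whether an audit2allow module is the right fix.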